Pfsense needs very long for booting
-
if i disable ipsec and reboot, the pfsense needs only seconds to respond.
-
Sounds like maybe you have IPsec tunnels with hostnames for endpoints, and for whatever reason your DNS is not working when your system boots up.
-
Right. I never use IPs.
The pfsense uses my local DNS servers and the most hostnames are dyndns accounts with very short ttl.
-
Try using public DNS (like your ISP's DNS or google's public DNS 8.8.8.8 / 8.8.4.4) once and see if the boot time is faster.
If that works, it's probably because you are making a catch-22/chicken-and-egg scenario. The local DNS can't resolve because the filter isn't completely loaded, and the filter can't load because it needs to resolve DNS.
You can enter up to four DNS servers, it wouldn't hurt to put, say, a Google DNS server first and your local DNS second and third.
-
Yes i will try it.
But it's not a persistent config, because only my local server know the private topology and i only use root dns servers.
-
I tried it and it is like you said.
If i put 8.8.8.8 to dns it boots very fast. But i didn't really like external dns servers and i never did this befor.Is it possible to activate routing functions first and than enable ipsec?
-
I'm not sure how that process unfolds these days under the hood. I had thought it did just that, or used to, but there may be some other factor I'm not aware of.
Do you use hostnames in aliases? I thought that was supposed to load empty tables up in that case and populate them once DNS resolved (I may be misremembering the details of that though), but it may be holding up on that as well. Anywhere that uses hostnames in place of IPs in the config will require working DNS at some point.
-
I don't use hostname with aliases yet.
Perhaps you can reduce the dns timeout on boot time.
After booting you flush the dns cache and reload the rules. -
That's just a kludge to hide the real issue. The firewall needs real working DNS to function properly when given hostnames to deal with, there is no way around that.
-
It's not useable to wait 15 minutes for booting.
And it's not good to trust external dns servers.Perhaps it's possible to define some pre boot rules to allow dns requests from lan to wan.
-
It's not useable to wait 15 minutes for booting.
And it's not good to trust external dns servers.Just to put my $.02 here - you always have to trust external DNS servers if you want name resolution to work on the Internet at all.ย ;)ย Even if you have a local name server with your local domains in it, it queries the millions of other ones on the net all the time, recursively, when you look up a domain name that does not exist (or is not cached) in your local name server.
-
It's right.
But I only have to trust the chain from root servers to dest server and not a single one from google, t-systems, โฆ
It's time for secdns, but this doesn't mean they cann't block some requests. And you will know with secdns if they block. -
Ermal just committed a change to do a filter reload before it gets to the vpn setup. Try a snapshot dated after this post and it should be included.
-
Sorry.
Just tried it. No speed up. 14 min for booting.2.0-BETA4 (i386) built on Thu Dec 9 13:24:37 EST 2010
-
What is displayed in the boot log when it pauses for that long? Or does it stick in any one place?